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1.  Background  and  Motivation 


This  report  describes  a  test  experiment  executed  on  the  US  Army  Research 
Laboratory  (ARL)  Sustaining  Base  Network  Assurance  Branch  (SBNAB) 
Supervisory  Control  and  Data  Acquisition  (SCADA)  hardware  testbed.  This 
initial  test  experiment  has  been  executed  to  demonstrate  SCADA  virtualization 
capability  on  the  testbed.  The  SCADA  hardware  testbed  is  part  of  the  US  Army 
Cyber  Analytics  Laboratory  (ACAL),  which  provides  hardware  and  network 
infrastructure  and  other  support  needed  for  collaboration  between  ARL  and  other 
government  and  commercial  institutions. 

In  this  test,  we  use  a  software-emulated  programmable  logic  controller  (PLC)  and 
public  domain  human  machine  interface  (HMI)  controller  software  instead  of 
actual  PLC  hardware  and  vendor-based  HMI  software.  Both  PLC  and  HMI 
controller  software  run  inside  virtual  machines  (VMs),  allowing  the  entire 
SCADA  system  to  be  virtualized.  In  the  future,  real  PLC  hardware  and 
commercial  HMI  software  will  also  be  used  in  ACAL  SCADA  testbed  research 
experiments. 

This  initial  test  of  the  ACAL  SCADA  testbed  emulates  network  traffic  found  in 
SCADA  systems  (or  Industrial  Control  Systems  [ICS]),  as  we  demonstrate  below. 

2.  Description  of  Test 


2.1  Test  Processes 

The  SCADA  system  emulated  in  this  test  is  that  of  a  conceptual  Meals-Ready-to- 
Eat  (MRE)  manufacturing  process.  The  process  map  for  the  system  is  illustrated 
in  Fig.  1  and  shows  6  PLCs  controlling  various  pieces  of  machinery  used  to 
produce  the  MREs. 
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Fig.  1  Process  map  for  MRE  SCADA  system 


2.2  Virtual  Representation  of  the  MRE  SCADA  system 

The  software  used  in  the  test  emulates  the  traffic  sent  and  received  by  PLCs  and 
HMIs  found  in  MRE  SCADA  processes.  The  PLCs  control  machinery  and  receive 
sensor  inputs  from  physical  plant  components.  HMIs  are  computers  running 
control  software  that  frequently  polls  a  PLC  for  status  information  about  the 
controlled  process.  A  human  plant  operator  monitors  the  HMI  computer  and 
software.  HMIs  may  also  provide  a  capability  for  the  human  operator  to  manually 
control  a  process,  if  needed. 

In  this  experiment,  the  HMI  and  PLC  components  function  within  VMs.  The 
testbed  topology  of  VMs  used  for  the  MRE  SCADA  test  is  depicted  in  Fig.  2.  Six 
pairs  of  PLCs  and  HMIs  have  been  constructed  inside  a  virtual  network,  and  all 
12  VMs  are  connected  to  virtual  switches.  An  attacker,  who  also  has  access  to  the 
virtual  network  via  a  virtual  switch,  can  initiate  attacks  on  the  MRE  SCADA 
system. 
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Fig.  2  Testbed  architecture 


A  more  detailed  diagram  of  the  simulated  SCADA  network  is  shown  in  Fig.  3  and 
additional  information  is  presented  in  Appendix  A.  Experiment  Hardware  and 
Software.  In  this  experiment,  each  HMI  polls  a  simulated  PLC  using  the  industrial 
Modbus  transmission  control  protocol  (TCP).  The  HMI  software  used  in  this  test 
is  the  open  source  Mango  Automation  application,1  while  the  simulated  PLC 
software  is  the  open  source  ModbusPal  Java  application.  When  queried  using  the 
Modbus  TCP  protocol,  ModbusPal  reports  coil  and  holding  register  values  in  a 
manner  similar  to  a  real  PLC.  For  each  HMI-PLC  pair,  Modbus  network  traffic 
will  be  captured  by  the  tcpdump  utility.  This  captured  traffic  is  used  to  check  if 
packet  loss  or  network  errors  occur  in  the  virtualized  hosts  or  network  during  the 
experiment. 
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Fig.  3  Field  network  VMs 

The  HMI  and  PLC  VMs  are  hosted  by  a  VMware  ESXi  hypervisor  on  a  Dell 
R610  server.  For  each  HMI-PLC  pair,  a  virtual  switch  connects  the  2  VMs.  Each 
virtual  switch  is  part  of  the  same  virtual  network.  The  virtual  network  is  also 
mapped  to  one  of  the  host  machine’s  network  interface  cards  (NICs)  and  this  NIC 
allows  external  access  to  the  virtual  network,  for  example,  to  the  attacker. 

2.3  PLC  Configuration 

Each  ModbusPal  virtual  PLC  instance  must  be  configured  with  a  set  number  of 
holding  registers  and  coils  to  simulate  the  corresponding  process  presented  in 
Figs.  1  and  2.  ModbusPal  was  configured  with  an  Extensible  Markup  Language 
(XML)-based  text  file  where  holding  registers  and  coils  are  defined  and  values 
specified.  The  values  of  holding  registers  and  coils  can  be  controlled 
programmatically  within  ModbusPal. 

In  Appendix  B.  ModbusPal  Tables,  we  list  the  detailed  configuration  information 
for  each  of  the  6  PLCs  controlling  the  6  processes  (see  Fig.  2): 

1 .  Chicken  cooker 
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2.  Vegetable  cooker 

3.  Meal  preparation  and  packaging 

4.  High-pressure  processing 

5.  Main  conveyor  belt 

6.  Packaging 

2.4  HMI  Configuration 

Each  virtualized  Mango  HMI  polls  its  respective  ModbusPal  PLC  for  its  values  of 
coils  and  holding  registers  every  10  seconds  (sec).  The  Mango  software  will  send 
Modbus  TCP  requests  to  ModbusPal  to  request  values  of  all  holding  registers  and 
coils  configured  for  this  experiment.  A  graphical  dashboard  will  also  be 
configured  to  provide  situational  awareness,  see  Fig.  4  for  the  overall  dashboard, 
which  represents  the  view  typically  seen  in  industrial  plants. 
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Fig.  4  Overall  plant  HMI  dashboard 


Snapshots  are  shown  of  the  6  Mango  HMIs  in  Figs.  5-10,  illustrating  the  HMI 
dashboards  of  each  of  the  6  processes. 
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Fig.  6  Vegetable  cooker  dashboard 
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Fig.  7  Meal  preparation  dashboard 
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Fig.  10  Product  packaging  dashboard 

3.  Execution  of  MRE  Test 

The  MRE  test  consists  of  2  parts — a  network  virtualization  test  and  a  simulated 
cyber-attack.  A  description  of  these  2  sub  tests  follows. 

3.1  Network  Virtualization  Subtest 

In  this  subtest,  we  will  validate  that  each  HMI-PLC  pair  of  VMs  has  network 
connectivity  and  that  the  network  paths  are  configured  correctly. 
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Step  1:  For  each  automation  process,  once  the  Mango  HMI  begins  polling  its 
respective  ModbusPal  instance,  capture  the  traffic  over  a  24-hour  (h)  period  using 
tcpdump. 

Step  2:  During  the  24-h  polling  process,  perfonn  spot  checks  to  verify  the  Mango 
HMI  is  receiving  measurements  in  compliance  with  the  values  listed  in 
Tables  2-7. 

Step  3:  Use  Wireshark  to  inspect  the  24-h  tcpdump  captures  and  check  for  any 
Internet  Control  Message  Protocol  (ICMP)  error  messages  in  the  tcpdump  files. 
The  condition  for  PASS  requires  that  no  ICMP  error  messages  exist  in  the 
tcpdump  files.  The  condition  for  FAIL  requires  that  one  or  more  ICMP  error 
messages  are  found.  If  ICMP  error  messages  in  the  tcpdump  files  are  discovered, 
investigate  the  reasons  and  correct  the  configuration. 

3.2  Simulated  Cyber  Attack 

This  subtest  simulates  a  cyber-attacker  sending  malicious  Modbus  messages  to  a 
PLC  to  change  the  values  of  coils.  The  Modbus  protocol  does  not  have  security 
capabilities  to  authenticate  messages  or  prevent  replay  attacks.2  As  a  result, 
anyone  (insider  or  external  threat  actor)  who  has  knowledge  of  the  process  map 
can  send  malicious  Modbus  messages  to  a  PLC  and  impact  an  automation 
process.  External  threat  actors  can  gain  knowledge  of  the  process  map  and  PLC 
ladder  logic  by  conducting  reconnaissance  of  the  plant  network  prior  to  an  attack. 

In  this  subtest,  we  will  conduct  a  manipulation  of  view  attack  on  the  Meal 
Preparation  ModbusPal  instance.  In  a  real  plant  environment,  this  attack  would 
cause  the  production  process  to  stop  while  plant  operators  investigate  the  cause. 

Step  1 :  On  an  external  laptop  connected  to  the  experiment  network,  use  the  Perl 
“ mbtgef'  script  to  change  the  Meal  Preparation  PLC  Robot  Ann  and  Sealing 
System  coil  values  to  “0”  (“Off’  state). 

Step  2:  Monitor  the  Meal  Preparation  process  Mango  HMI  dashboard.  The 
dashboard  should  show  the  Robot  Arm  and  Sealing  System  processes  are  in  an 
“Off”  state  and  an  alarm  should  be  visible.  The  test  is  a  PASS  if  the  Meal 
Preparation  dashboard  shows  both  processes  are  “Off”  and  alann  symbols  are 
displayed. 
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4.  MRE  Test  Results 


4.1  Network  Virtualization  Subtest 

The  tcpdump  data  captured  over  a  24-h  period  of  each  HMI-simulated  PLC  pair 
were  examined  using  Wireshark.  The  table  presents  the  number  of  packets 
captured  and  examined  for  each  HMI  and  simulated  PLC  pair.  The  number  of 
network  errors  are  also  listed.  Because  no  network  errors  were  found,  all  tests 
were  a  PASS. 


Table  Network  virtualization  test  results 


Automation  Process 

Number  of  Mango  HMI- 
ModbusPal  Packets  Captured 
over  24  h 

Number  of 
Network 
Errors 

Test  Results 
(PASS/FAIL) 

Chicken  cooker 

172,904 

0 

PASS 

Vegetable  cooker 

172,806 

0 

PASS 

Meal  preparation 

172,818 

0 

PASS 

High-pressure 

processing 

172,807 

0 

PASS 

Main  conveyor  belt 

172,803 

0 

PASS 

Product  packaging 

86,402 

0 

PASS 

For  each  automation  process,  the  Mango  HMI  polled  its  respective  ModbusPal 
application  every  10  sec.  In  each  polling  period,  Mango  HMI  issued  a  Modbus 
coil  read  request  and  waited  for  the  response.  After  receiving  the  coil 
measurements,  the  Mango  HMI  sent  a  holding  register  read  request  to  its 
respective  ModbusPal  application.  Therefore  in  each  10-sec  poll  interval, 
2  Modbus  read  requests  are  sent  and  2  responses  are  received  by  the  HMI. 

The  number  of  Modbus  packets  for  the  Product  Packaging  process  was  much  less 
than  the  other  automation  processes  because  Product  Packaging  only  used  holding 
registers.  Therefore,  in  each  10-sec  polling  interval,  Mango  sent  only  one  Modbus 
message  compared  to  2  in  the  other  automation  processes. 

4.2  Simulated  Cyber  Attack 

We  show  the  Meal  Preparation  HMI  dashboard  during  normal  operations  and 
after  the  attacker  has  sent  malicious  traffic,  in  Figs.  1 1  and  12,  respectively. 
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Robot  Arm 


product  Weight 


683.0  g 


Max  Weight  750.0  g 


Hin  weight  500.0 


Fig.  11  Meal  preparation  dashboard  before  cyber  attack 

Robot  Arm  L, 

sealing  system  ^  Q 


Product  weight 


578.0  g 


Max  weight  750.0  g 


Hin  weight  500.0 


Fig.  12  Meal  preparation  dashboard  after  cyber  attack 

The  attack  was  simulated  using  the  Perl  mbtget  script,  which  sent  Modbus  coil 
write  messages  to  the  Meal  Preparation  ModbusPal  to  set  the  coil  values  to  “0” 
(turn  the  process  offline).  The  small  yellow  triangles  with  an  “!”  symbol  in  the 
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upper  part  of  Fig.  12  are  alarms  that  have  consequently  sounded  in  the  Mango 
dashboard  for  this  critical  process. 

Fig.  13  is  a  screen  capture  of  the  Meal  Preparation  FIMI  alarm  panel.  The  loss  of 
the  Robot  Arm  and  Sealing  System  processes  are  listed  as  critical  alarms. 

i  Alan  Report  [Beta]  Legacy  Alaras  Page  Acknowledge  all  in  view  silence  all  in  view 

clear  Dates  Froa  |  -  |  |T|  to  |  |  — ■  | 


Fig.  13  Meal  preparation  alarm  panel  after  cyber  attack 

This  attack  would  have  resulted  in  a  shutdown  of  the  Meal  Preparation  process  if 
this  were  an  actual  plant.  The  test  result  is  PASS. 

5.  Conclusions 


This  experiment  demonstrates  that  virtualization  of  SCADA  components  is  an 
effective  means  to  simulate  a  production  plant’s  network  traffic  and  create  cyber¬ 
attack  scenarios.  The  VMs  and  guest  operating  systems  with  their  applications 
emulated  the  automation  components  found  in  a  plant  and  zero  packets  were  lost 
by  the  virtual  network.  The  virtual  environment  enabled  us  to  simulate  a  cyber¬ 
attack  on  a  commonly  used  Modbus  industrial  protocol.  We  will  leverage  the 
results  of  this  experiment  in  future  tests  to  protect  critical  infrastructure. 
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Appendix  A.  Experiment  Hardware  and  Software 
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Table  A-l  presents  each  hardware  component  with  a  description  of  its  use  and 
operating  system. 


Table  A-l  Hardware  list 


Platform 

Function 

Operating  System 

Mac  laptop  and  desktop 

Remote  access  to  Virtual 

Machines  (VMs),  configure 
applications  for  experiment 

OS  X  Mavericks 
(Version  10.9) 

Dell  R610 

Hosts  ESXi 

ESXi  5.5  hypervisor 

Dell  R710 

Software  development  and  testing 
of  applications 

CentOS  6.5 

Dell  PowerConnect  6224 

Network  switch 

Dell  Firmware 

The  software  for  this  experiment  is  presented  in  Table  A-2  for  each  hardware 
platform.  This  experiment  will  use  US  Army  Research  Laboratory  (ARL) 
licensed,  as  well  as  open  source  software  and  operating  systems. 

Table  A-2  Software  list 


Software 

Function 

Platform 

VirtualBox 

Hosts  Windows  Vista  on  Mac 
platforms 

Mac  laptop  and  desktop 
computers 

Windows  Vista 

Guest  OS  of  VirtualBox.  Enables  Mac 

Mac  laptop  and  desktop 

Enterprise 

users  to  access  ESXi  VMs  using 
vSphere  client. 

computers 

ESXi  5.5 

Hypervisor  to  host  guest  VMs 

Dell  R610 

vSphere  Client  5.5 

Remote  access  to  ESXi  VMs 

Mac  laptop  and  desktop 
computers 

CentOS  6.5 

Operating  system 

Dell  R7 1 0  and  each  VM 
hosting  the  simulated 

PLC  and  Mango  HMI 

Java  Software 
Development  Kit 
(JDK)  1.7 

Compile  ModbusPal  PLC  simulator 

Dell  R710 

Java  Runtime 
Environment  (JRE)  1.7 

Run  Mango  HMI  and  ModbusPal  PLC 
simulator 

Dell  R7 1 0  and  each  VM 

Eclipse 

Development  tool  to  program  the 
ModbusPal  PLC  simulator 

Dell  R710 

Perl  5.10.1 

Runs  mbtget  script  to  simulate  a  cyber 
attacker 

Cyber  attacker  VM,  Dell 
R710 

Mango 

HMI  which  polls  simulated  PLC 
(ModbusPal)  for  status  messages 

VMs  simulating  an  HMI 
workstation 

ModbusPal 

Simulates  a  PLC 

VMs  simulating  a  PLC 

mbtget 

Simulates  a  cyber  attacker.  Sends 
scripted  Modbus  messages  to 
simulated  PLCs. 

Cyber  attacker  VM 

tcpdump 

Captures  Modbus  packets 

Each  VM 
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Appendix  B.  ModbusPal  Tables 


17 


Tables  B-l  through  B-6  list  the  coil  and  holding  register  configuration  of  each 
ModbusPal  application  to  emulate  its  respective  Programmable  Logic  Controller 
(PLC)  depicted  in  the  Fig.  1  process  map. 

Table  B-l  Configuration  and  measurements  for  chicken  cooker  PLC 


Entity 

Holding 

Register 

Index 

Coil 

Index 

Allowed  Value 

Value  Set  for 
Experiment 

Data  Type 

Oven  Door 
Open/Closed 

1 

1  =  Oven  door  is 

OPEN 

0  =  Oven  door  is 

Closed 

0 

Bit 

Gas  Flow 
On/Off 

2 

1  =  Gas  turned  ON  to 

oven 

0  =  Gas  turned  OFF  to 
Oven 

1 

Bit 

Exhaust  Fan 
On/Off 

3 

1  =  Exhaust  Fan  is 

ON 

0  =  Exhaust  Fan  is 

OFF 

1 

Bit 

Conveyor  In 
Motion 

4 

1  =  belt  is  moving 
forward 

0  =  belt  is  stopped 

0 

Bit 

Oven 

Temperature 

(°F) 

1 

345-355  when  Oven 
is  ON 

ModbusPal 
automation  to 
randomly  choose 
values  between 
345-355 

2  Byte 
Signed 
Integer 

Oven 

Temperature 

Maximum 

(°F) 

2 

360 

360 

2  Byte 
Signed 
Integer 

Oven 

Temperature 

Minimum 

(°F) 

3 

340 

340 

2  Byte 
Signed 
Integer 

Cooking 

Time 

Remaining 

(min) 

4 

0-30 

ModbusPal 
automation  to 
linearly 

decrement  time 
from  30  to  0 

2  Byte 
Signed 
Integer 
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Table  B-2  Configuration  and  measurements  for  vegetable  cooker  PLC 


Entity 

Holding 

Register 

Index 

Coil 

Index 

Allowed  Values 

Value  Set  for 
Experiment 

Data  Type 

Oven  Door 

1 

1  =  Oven  door  is 

0 

Bit 

Open/Closed 

OPEN 

0  =  Oven  door  is 

Closed 

Gas  Flow 

2 

1  =  Gas  turned  ON  to 

1 

Bit 

On/Off 

oven 

0  =  Gas  turned  OFF  to 
Oven 

Exhaust  Fan 

3 

1  =  Exhaust  Fan  is 

1 

Bit 

On/Off 

ON 

0  =  Exhaust  Fan  is 

OFF 

Conveyor  In 

4 

1  =  Belt  is  moving 

0 

Bit 

Motion 

forward 

0  =  Belt  is  stopped 

Oven 

1 

370-380  when  Oven 

ModbusPal 

2  Byte 

Temperature 

is  ON 

automation  to 

Signed 

(°F) 

randomly 
choose  values 
between  370- 
380 

Integer 

Oven  Maximum 

2 

390 

390 

2  Byte 

Temperature 

Signed 

Alarm  Set  Point 
(°F) 

Integer 

Oven  Minimum 

3 

360 

360 

2  Byte 

Temperature 

Signed 

Alarm  Set  Point 
(°F) 

Integer 

Cooking  Time 

4 

0-20 

ModbusPal 

2  Byte 

Remaining 

automation  to 

Signed 

(min) 

linearly 

decrement  time 
from  20  to  0 

Integer 

Cooking  Time 

5 

20 

20 

2  Byte 

Duration  (min) 

Signed 

Integer 
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Table  B-3  Configuration  and  measurements  for  meal  preparation  and  packaging  PLC 


Entity 

Holding 

Register 

Index 

Coil 

Index 

Allowed  Values 

Value  Set  for 
Experiment 

Data 

Type 

Robot  Arm 
Online 

1 

1  =  Robot  Arm  is  in 
operation 

0  =  Robot  Arm  is 
offline 

1 

Bit 

Sealing  System 
Online 

2 

1  =  Sealing  System  is 
on  operation 

0  =  Sealing  System  is 
offline 

1 

Bit 

Exhaust  Fan 
On/Off 

3 

1  =  Exhaust  Fan  is 

ON 

0  =  Exhaust  Fan  is 

OFF 

1 

Bit 

Product  Weight 
(grams) 

1 

510-740  grams 

ModbusPal 
automation  to 
randomly  choose 
values  between 
510-740  grams 

2  Byte 
Signed 
Integer 

Product  Weight 
Maximum 

Alarm  Set 

Point  (grams) 

2 

750 

750 

2  Byte 
Signed 
Integer 

Product  Weight 
Minimum 

Alarm  Set 

Point  (grams) 

3 

500 

500 

2  Byte 
Signed 
Integer 
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Table  B-4  Configuration  and  measurements  for  high-pressure  processing  PLC 


Holding 

Coil 

Value  Set  for 

Entity 

Register 

Index 

Index 

Allowed  Value 

Experiment 

Data  Type 

Pressure  Door 

1 

1  =  Pressure  door  is 

0 

Bit 

Open/Closed 

OPEN 

0  =  Pressure  door  is 
Closed 

Water  Fill 

2 

1  =  Water  Fill  Pump 

0 

Bit 

Pump  On/Off 

is  ON 

0  =  Water  Fill  Pump 
is  OFF 

Pressure  Pump 

3 

1  =  Pressure  Pump  is 

1 

Bit 

On/Off 

ON 

0  =  Pressure  Pump  is 
OFF 

Product 

4 

1  =  Product  is  being 

1 

Bit 

Pressuring 

pressurized 

Process  On/Off 

0  =  Product  is  not 
being  pressurized 

Conveyor  Belt 

5 

1  =  Belt  is  moving 

0 

Bit 

In  Motion 

forward 

0  =  Belt  is  stopped 

Liquid  Level 

1 

40-60  %  when 

ModbusPal 

2  Byte 

Percent  (%) 

products  are  being 

automation  to 

Signed 

Full 

pressurized 

randomly  choose 
values  between 

Integer 

40-60 

Pressure  (MPa) 

2 

300-500  when 

ModbusPal 

2  Byte 

pressurizing  process 

automation  to 

Signed 

is  ON 

randomly  choose 
values  between 

Integer 

300-500 

Maximum 

3 

275 

275 

2  Byte 

Pressure  Alarm 

Signed 

Set  Point  (MPa) 

Integer 

Minimum 

4 

525 

525 

2  Byte 

Pressure  Alarm 

Signed 

Set  Point  (MPa) 

Integer 

Pressuring  Time 

5 

0-20 

ModbusPal 

2  Byte 

Remaining  (s) 

automation  to 

Signed 

linearly 

decrement  time 
from  20  to  0 

Integer 
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Table  B-5  Configuration  and  measurements  for  main  conveyor  belt  PLC 


Entity 

Holding 

Register 

Index 

Coil 

Index 

Allowed  Value 

Value  Set  for 
Experiment 

Data  Type 

Conveyor  Belt 

In  Motion 

1 

1  =  Belt  is  moving 

0  =  Belt  is  stopped 

1 

Bit 

Motor  Oil 
Temperature 

1 

80-150  °F 

ModbusPal 
automation  to 
randomly  choose 
values  between 
80-150 

2  Byte 
Signed 
Integer 

Motor  Oil 

Level  (%  Full) 

2 

45-70%  full 

ModbusPal 
automation  to 
randomly  choose 
values  between 
45-70 

2  Byte 
Signed 
Integer 

Speed  (surface 
feet  per  minute 
[FPM]) 

3 

55-70  FPM  when  the 
conveyor  belt  is 
moving 

ModbusPal 
automation  to 
randomly  choose 
values  between 
55-70 

2  Byte 
Signed 
Integer 

Table  B-6  Configuration  and  measurements  for  packaging  PLC 


Ho'ding  Coj| 

Value  Set  for 

Entity 

Register 

T  ,  Index 

Index 

Allowed  Value 

Experiment 

Data  Type 

Packing  Tape 

1 

0-100% 

ModbusPal 

2  Byte 

Available 

automation  to 

Signed 

(%  Full) 

linearly  decrease 
percentage  from 

100  to  0 

Integer 

Ink  Level  (%) 

2 

0-100% 

ModbusPal 

2  Byte 

automation  to 

Signed 

linearly  decrease 
percentage  from 

100  to  0 

Integer 

Shipping 

3 

150-200  lbs 

Used  ModbusPal 

2  Byte 

Container 

automation  to 

Signed 

Weight  (lbs) 

randomly  set  value 
between  150  to 

Integer 

200 

Shipping  Box 

4 

0-100% 

ModbusPal 

2  Byte 

Inventory 

automation  to 

Signed 

(%) 

linearly  decrease 
percentage  from 

100  to  0. 

Integer 
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List  of  Symbols,  Abbreviations,  and  Acronyms 


ACAL 

US  Army  Cyber  Analytics  Laboratory 

ARL 

US  Army  Research  Laboratory 

FPM 

feet  per  minute 

h 

hour 

HMI 

human  machine  interface 

ICMP 

Internet  Control  Message  Protocol 

ICS 

Industrial  Control  Systems 

JDK 

Java  Development  Kit 

JRE 

Java  Runtime  Environment 

Mac 

Macintosh 

MRE 

Meals-Ready-to-Eat 

NIC 

network  interface  card 

PLC 

programmable  logic  controller 

OS 

operating  system 

SBNAB 

Sustaining  Base  Network  Assurance  Branch 

SCADA 

Supervisory  Control  and  Data  Acquisition 

sec 

second(s) 

TCP 

transmission  control  protocol 

VM 

Virtual  Machine 

XML 

Extensible  Markup  Language 
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